CVE-2026-21901 in Junos OS
Summary
by MITRE • 07/10/2026
A NULL Pointer Dereference vulnerability in the management daemon (mgd) of Juniper Networks Junos OS and Junos OS Evolved allows a local, high-privileged attacker setting or deactivating a specific SSH configuration parameter to create a Denial of Service (DoS).
A local high-privileged user configuring or deactivating a specific 'system services ssh' configuration parameter can exploit a null pointer dereference in one of the functions used by SSH. The function attempts to dereference a null pointer when accessing certain configuration data, resulting in an mgd process crash and restart. Continued execution of these configuration commands will create a sustained Denial of Service (DoS) condition.
This issue affects: Junos OS:
* from 22.3 before 22.3R3-S5; * from 22.4 before 22.4R3-S10; * from 23.2 before 23.2R2-S7; * from 23.4 before 23.4R2-S8.
This issue does not affect Junos OS before 22.3R1.
Junos OS Evolved: * from 22.3R1-EVO before 23.2R2-S7-EVO; * from 23.4 before 23.4R2-S8-EVO.
This issue does not affect Junos OS Evolved before 22.3R1-EVO.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/10/2026
The vulnerability under examination represents a critical null pointer dereference flaw within the management daemon mgd of Juniper Networks Junos OS and Junos OS Evolved platforms. This issue manifests when specific SSH configuration parameters are manipulated through the system services ssh section, creating a condition where the mgd process becomes unstable and terminates unexpectedly. The root cause stems from improper validation of configuration data pointers during SSH service handling operations, particularly when processing certain parameter changes that trigger internal function calls without adequate null checks.
The technical exploitation pathway involves a local high-privileged user executing configuration commands that modify the 'system services ssh' parameters within the Junos OS environment. When these commands are processed, the underlying management daemon invokes functions that attempt to dereference memory pointers which have not been properly initialized or validated, resulting in immediate process termination and subsequent automatic restart. This creates a cascading effect where repeated execution of the vulnerable configuration commands maintains the DoS condition, effectively preventing legitimate administrative operations from completing successfully.
From an operational impact perspective, this vulnerability severely compromises system availability and reliability for Juniper network devices running affected software versions. The sustained denial of service condition not only prevents normal configuration management but also potentially disrupts ongoing network operations that depend on SSH connectivity for device management. Network administrators face the challenge of maintaining consistent access to their managed devices while attempting to apply necessary security configurations or operational changes, creating a paradoxical situation where the very actions intended to secure the system become the source of its instability.
The vulnerability aligns with CWE-476, which specifically addresses null pointer dereference conditions in software implementations. From an ATT&CK framework perspective, this represents a privilege escalation and denial of service technique that leverages local administrative access to create persistent availability issues within network infrastructure. The exploitation requires only local high-privileged access, making it particularly concerning for environments where administrative accounts may be compromised or where least privilege principles are not strictly enforced.
Mitigation strategies should prioritize immediate deployment of vendor-supplied patches addressing the specific null pointer dereference in the mgd process handling SSH configuration parameters. Network administrators must also implement strict access controls and monitoring around high-privileged account usage, particularly for configuration changes involving system services. Additionally, implementing redundant management paths and ensuring proper backup procedures can help maintain operational continuity during patch deployment windows. The affected versions indicate this vulnerability has existed across multiple release branches, emphasizing the need for comprehensive vulnerability assessment and coordinated patch management across all Juniper network infrastructure components.